US10693854B2 - Method for authenticating a user, corresponding server, communications terminal and programs - Google Patents

Method for authenticating a user, corresponding server, communications terminal and programs Download PDF

Info

Publication number
US10693854B2
US10693854B2 US14/968,231 US201514968231A US10693854B2 US 10693854 B2 US10693854 B2 US 10693854B2 US 201514968231 A US201514968231 A US 201514968231A US 10693854 B2 US10693854 B2 US 10693854B2
Authority
US
United States
Prior art keywords
user
terminal
piece
authentication
authentication server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US14/968,231
Other languages
English (en)
Other versions
US20160173473A1 (en
Inventor
David Naccache
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Banks and Acquirers International Holding SAS
Original Assignee
Ingenico Group SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ingenico Group SA filed Critical Ingenico Group SA
Assigned to INGENICO GROUP reassignment INGENICO GROUP ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: NACCACHE, DAVID
Publication of US20160173473A1 publication Critical patent/US20160173473A1/en
Application granted granted Critical
Publication of US10693854B2 publication Critical patent/US10693854B2/en
Assigned to BANKS AND ACQUIRERS INTERNATIONAL HOLDING reassignment BANKS AND ACQUIRERS INTERNATIONAL HOLDING ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: INGENICO GROUP
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/50Secure pairing of devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/18Self-organising networks, e.g. ad-hoc networks or sensor networks

Definitions

  • the disclosure relates to the field of the authentication of users. More particularly, the disclosure relates to the field of the authentication of users in relation to services such as services for access to confidential information or again payment services.
  • the authentication of users in relation to services and more particularly online services is a source of problems.
  • the authentication of a user requires, on the one hand, the entry of a login type identifier by which the user's identity is communicated and the entry of a password (or a personal identification code) to make sure that the person is really the one who he claims to be.
  • a password or a personal identification code
  • An exemplary embodiment of the present disclosure relates to a method for authenticating a communications terminal belonging to a user with an authentication server connected to a gateway terminal by means of a communications network.
  • Such a method comprises, within the authentication server:
  • the predefined data transmission interface of said gateway terminal is a Bluetooth interface and the data transmission link between the authentication server and the user's communications terminal is a virtual Bluetooth link.
  • said method comprises:
  • the step of configuration by said authentication server of a data transmission link between said authentication server and said user's communications terminal comprises:
  • said at least one parameter of connection comprises at least one piece of data necessary for the building of the link between the communications terminal of the user and the gateway terminal.
  • said at least one parameter of connection comprises at least one piece of data belonging to the group comprising:
  • the technique also relates to a server for authenticating a communications terminal belonging to a user with an authentication server connected to a gateway terminal by means of a communications network.
  • a server for authenticating a communications terminal belonging to a user with an authentication server connected to a gateway terminal by means of a communications network.
  • Such a server comprises:
  • the technique as proposed relates also to an intermediate terminal and a user's communications terminal.
  • Each of these two terminals comprises means for implementing steps of the method that concerns it and especially means for creating a wireless connection in order to set up a secured link between the communications terminal and the authentication server.
  • the methods implemented described here below are then complementary to the method of authentication at the authentication server level.
  • the different steps of the method according to an exemplary embodiment of the disclosure are implemented by one or more software programs or computer programs that comprise software instructions to be executed by a data processor of a relay module according to an embodiment of the disclosure and are designed to command the execution of the different steps and methods.
  • the proposed technique is therefore also aimed at providing a program capable of being executed by a computer or a data processor, this program comprising instructions to command the execution of the steps of a method as mentioned here above.
  • This program can use any programming language whatsoever and can be in the form of a source code, object code or intermediate code between source code and object code, such as in a partially compiled form or in any other desirable form.
  • the disclosure is also aimed at providing an information carrier readable by a data processor and comprising instructions of a program as mentioned here above.
  • the information carrier can be any entity or device whatsoever capable of storing the program.
  • the carrier can comprise a storage means such as a ROM, for example a CD ROM or a microelectronic circuit ROM or again a magnetic recording means, for example a floppy disk or a hard disk drive.
  • the information carrier can be a transmissible carrier such as an electrical or optical signal which can be conveyed via an electrical or optical cable, by a radio or by other means.
  • the program according to the proposed technique can especially be uploaded to an Internet type network.
  • the information carrier can be an integrated circuit into which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the method in question.
  • the proposed technique is implemented by means of software and/or hardware components.
  • module can correspond in this document equally well to a software component and to a hardware component or to a set of hardware and software components.
  • a software component corresponds to one or more computer programs, one or more sub-programs of a program or more generally to any element of a program or a piece of software capable of implementing a function or a set of functions as described here above for the module concerned.
  • Such a software component is executed by a data processor of a physical entity (terminal, server, gateway, router, etc) and is capable of accessing the hardware resources of this physical entity (memories, recording media, communications buses, input/output electronic boards, user interfaces, etc).
  • a hardware component corresponds to any element of a hardware unit capable of implementing a function or a set of functions as described here above for the module concerned. It can be a programmable hardware component or a component with an integrated processor for the execution of software, for example an integrated circuit, a smartcard, a memory card, an electronic board for the execution of firmware, etc.
  • FIG. 1 is a block diagram of the proposed technique from a general viewpoint bringing into play the terminals and the authentication server;
  • FIG. 2 describes an authentication server according to the proposed technique
  • FIG. 3 describes a user's communications terminal capable of implementing the proposed technique
  • FIG. 4 describes a gateway terminal capable of implementing the proposed technique.
  • the general principle of the proposed technique lies in the use of a communications terminal, the user's own terminal, to carry out an operation of authentication using another terminal. More particularly, the principle consists in initiating a pairing between a communications terminal of the user (for example a telephone) and an authentication server via another communications terminal of the user (for example a computer). According to the proposed technique, this pairing is carried out by using communications means proper to a first communications terminal (for example a personal computer or a tablet, a games console, etc.) called a gateway communications terminal from which the authentication is initiated.
  • a first communications terminal for example a personal computer or a tablet, a games console, etc.
  • a part of the authentication procedure (the one which consists for example in entering the password for access to a service) is implemented by a second communications terminal of the user in using third-party communications means which, for their part, are available from a first communications terminal called a gateway terminal.
  • the gateway terminal as envisaged in the present document is not a router, an access point or an operator's box: these apparatuses cannot enable the user to get connected to a service (for example a website of an online business, restricted access site, etc.) and enter identifier/password type connection data.
  • the gateway terminal is the terminal from which the authentication procedure is launched.
  • the gateway terminal is the initiator of the authentication procedure.
  • a wireless communications interface (Bluetooth, Wi-Fi) is implemented by the user's second communications terminal to get connected with the authentication server in using the gateway communications terminal. This is, in a way, a parasite interface operation.
  • the proposed technique furthermore comprises the setting up of a specific data transmission link between the authentication server and the second communications terminal.
  • a user wishes to get connected to an online service such as a bank service.
  • a computer or a tablet TCP# 1
  • a gateway terminal uses a computer or a tablet (TCP# 1 ), called a gateway terminal, he opens ( 50 ) an application (for example a browser) (this step is optional) and he asks ( 100 ) for a connection for authentication with an authentication server (ServA) (or else with the server of the service provider with which the user is connected by means of the gateway terminal [the server of the service provider then relays this request to the authentication server]).
  • the connection request transmitted by the gateway terminal or by a server to which the gateway terminal is connected enables the authentication server (ServA) to initiate the transaction and determine which device it must respond to.
  • the authentication server transmits ( 110 ) to the gateway terminal (TCP# 1 ) a request for identification (ReqId).
  • the content of this request for identification is explained here below.
  • the request for identification is optional. It serves for example to redirect the gateway terminal to a secured connection.
  • the gateway terminal (TCP# 1 ) uses ( 120 ) the content of this identification request (ReqId) to request ( 121 ) the user for entry of an identifier (Id_U) (such as an electronic mail address).
  • an identifier Id_U
  • this identifier is transmitted ( 122 ) by the gateway terminal (TCP# 1 ) to the authentication server (ServA).
  • the authentication server (ServA) Upon reception of this identifier (Id_U), the authentication server (ServA) makes a search ( 130 ) within a database (BddPm) for at least one piece of data representing a connection parameter or parameter (PmC) of connection to a communications terminal (TCP# 2 ).
  • This data representing a connection parameter (PmC) is obtained by means of the providing of the identifier (Id_U) of the user.
  • This data is then transmitted ( 140 ) to the gateway terminal (TCP# 1 ) possibly accompanied by an instruction for building a virtual connection between the server (ServA) and the communication terminal (TCP# 2 ).
  • the gateway terminal (TCP# 1 ) receives this connection parameter (PmC) and, through this parameter, it instantiates ( 150 ) a data transmission/reception link with the user's communications terminal (TCP# 2 ).
  • the user's communications terminal (TCP# 2 ) receives ( 160 ) from the gateway terminal (TCP# 1 ), a request (ReqAp) for pairing with said gateway terminal (TCP# 1 ), said pairing request (ReqAp) comprising data enabling a pairing with the user's communications terminal (TCP# 2 ) by the Bluetooth interface.
  • the content of the pairing request is explained here below.
  • the user's communications terminal (TCP# 2 ) receives ( 160 ) from the gateway terminal (TCP# 1 ), a request (ReqAp) for pairing with said gateway terminal (TCP# 1 ), the pairing request (ReqAp) comprising data for pairing with the user's communications terminal (TCP# 2 ) through the Wi-Fi interface.
  • the wireless transmission interface between the user's communications terminal (TCP# 2 ) and the gateway terminal (TCP# 1 ) is of relatively little importance although the Bluetooth interface is a preferred solution in terms of implementation, the Bluetooth interface enables easier pairing of a smartphone type terminal with a PC or tablet type gateway terminal: it is not necessary to set up an ad hoc network with a Bluetooth interface
  • the user's communications terminal (TCP# 2 ) makes a search ( 180 ) within an internal database and/or a secured storage space of the terminal for a piece of identification data (Id_S) of the authentication server (ServA). It compares ( 190 ) this piece of identification data (recorded within the terminal) with a piece of identification data received from the server.
  • the identification data received from the server is either present within the pairing request (ReqAp) or transmitted ( 170 ) by the server after the pairing. This makes sure that the user's communications terminal will not suffer any hacking attempt by a third-party server or a fraudulent gateway communications terminal.
  • the user's communications terminal (TCP# 2 ) When the user's communications terminal (TCP# 2 ) has checked the identity of the authentication server (ServA), the user's communications terminal (TCP# 2 ) sends ( 200 ) the authentication server (ServA) a piece of authentication data (DataAuth).
  • DataAuth a piece of authentication data
  • the authentication server Upon reception of this identification data (DataAuth), the authentication server (ServA) assigns ( 210 ) an assertion of authentication to the user (and therefore to the gateway terminal (TCP# 1 )).
  • the method described makes it possible not to have to enter a password to be able to carry out an authentication of a user with a service.
  • the only piece of data required to be able to carry out the authentication is a login.
  • the proposed method requires preliminary registration with the authentication server. This preliminary registration is described in detail here below.
  • the method described is based on the transmission of several requests. Only the requests specific to the technique described have been mentioned.
  • the identification request (ReqId) comprises for example an address (for example of a URL type) to which the gateway terminal (TCP# 1 ) must get connected before providing any unspecified information.
  • the connection parameters (PmC) include for example data needed for building a physical link between the user's communication terminal (TCP# 2 ) and the gateway terminal (TCP# 1 ).
  • these pieces of data there are especially the physical address (MAC address) of the user's communications terminal and possibly a piece of pairing code type data or Wi-Fi password type data.
  • This data is transmitted to the user's communications terminal to enable direct connection between the user's communications terminal and the gateway terminal. In the case of a Bluetooth pairing code, this is the pairing code of the authentication server.
  • the pairing request (ReqAp) comprises at least one piece of data for identifying the authentication server (ServA).
  • This piece of identification data (DIdServA) enables the user's communications terminal (TCP# 2 ) to make sure of the identity of the device that is attempting to send it an authentication request.
  • this identification data corresponds to an address (for example a MAC address) of the authentication server (ServA) encrypted through a public key of the user's communications terminal (TCP# 2 ).
  • an address for example a MAC address
  • this piece of identification data corresponds to an address (for example a MAC address) of the authentication server (ServA) encrypted by means of a private key of the authentication server (ServA).
  • an address for example a MAC address
  • other pieces of identification data are also included, in order to increase security.
  • an embodiment of the present disclosure makes it possible to carry out a pairing directly with the authentication server by using a data link “transported” by means of the gateway terminal.
  • the user's communications terminal is paired via Bluetooth with the authentication server (and not with the gateway terminal).
  • a Bluetooth link is set up not between the user's terminal and the gateway terminal (from which the user is trying to get connected) but actually between the authentication server and the user's terminal via the gateway terminal.
  • the authentication server can relay Bluetooth packets to the gateway terminal, by means of a TCP/IP link. These Bluetooth packets will be sent (as such) by the gateway terminal (which is not capable of understanding their contents). This makes it possible to create a sort of very long-distance virtual Bluetooth channel between the user's terminal and the authentication server.
  • the gateway terminal limits itself to implementing a translation of Bluetooth addresses in order to accurately route the data which travels between the user's communications terminal and the authentication server.
  • the authentication server implements a functional stack corresponding to the protocol used (for example a Bluetooth functional stack or a Wi-Fi functional stack) while the gateway terminal naturally implements at least one hardware stack corresponding to the protocol used (for example a Bluetooth hardware stack or a Wi-Fi hardware stack).
  • the gateway terminal also implements a functional stack corresponding to the protocol used, which is driven by a dedicated module.
  • a “Scatternet” type network can be set up with the gateway terminal playing the role of a “slave node” while the user's communications terminal and the authentication server both play a “master node” role.
  • the proposed technique comprises two distinct parts: on the one hand a method implemented on the authentication server side and on the other hand a method implemented by the user's client terminal. These two methods have in common the use of a gateway terminal in order to set up a long-distance wireless data transmission link. Inasmuch as only a small part of the link is actually a wireless link, this wireless link can be called a virtual wireless link.
  • the user's communications terminal and the authentication server In order to set up a connection between the user's communications terminal and the authentication server, it is worthwhile for the user's communications terminal and the authentication server to have hardware available for secured mutual recognition. More particularly, it is desirable for the user's communications terminal to have available at least one public key of the authentication server and for the authentication server to have available at least one public key of the user's communications terminal. The possession of these two items of hardware will enable the two entities to exchange data in secured form. In addition to these two elements, it is also desirable for the communications terminal to have available a piece of data to identify the authentication server and for the authentication server to have available a piece of data to identify the user's communications terminal.
  • the public keys which are made available to the user's communications terminal on the one hand and to the authentication server on the other hand are used to derive some session keys from the implementing of one or more challenges during a mutual key-exchanging procedure.
  • This procedure for creating session keys is implemented after or concomitantly with the establishment of the link between the user's communications terminal and the authentication server.
  • the gateway terminal is used only to transmit data on the physical channel (physical data transmission layer).
  • the authentication server implements a preparatory step in which it makes sure that the gateway terminal is truly capable of taking charge of the procedure for authenticating of the proposed technique.
  • the server :
  • the authentication server requests the gateway terminal for the installation of an application, called a gateway application for the sake of convenience.
  • This gateway application can for example take the form of a software module installed within the web browser used on the gateway terminal.
  • This gateway application can also take the form of an application directly executable by the operating system of the gateway terminal (for example WindowsTM or IOSTM or AndroidTM).
  • WindowsTM or IOSTM or AndroidTM an application directly executable by the operating system of the gateway terminal.
  • this application when this application is installed in the gateway terminal, it is this application that takes charge of the relay function for transmitting data between the user's communications terminal and the authentication server.
  • the application delivered by the authentication server itself comprises cryptographic hardware sufficient to ensure the confidentiality of the data relayed.
  • the user's communications terminal is a smartphone (in which a specific application is installed)
  • the gateway terminal is a laptop PC type computer
  • the authentication server is a bank server (it may be a physical bank server or a software bank server intended solely to carry out authentication).
  • a fourth entity comes into play in this case of use: it is the server of the e-commerce site which is used for the purchases made by the user.
  • the authentication server since the authentication server is assured of the authenticity of the user's identity, it does not ask for entry of information on the bankcard: it uses the bankcard associated with the user's account by his bank, when this information is available of course.
  • the e-commerce site transmits the information on the bankcard to be used directly to the bank server, when redirecting to the bank server.
  • the user is not obliged to enter the data of his bankcard whenever he wishes to make a payment.
  • an authentication server implemented to authenticate a user from a communications terminal (TCP# 2 ) different from an initial communications terminal according to the procedure described here above.
  • the authentication server comprises a memory 31 constituted by a buffer memory, a processing unit 32 , equipped for example with a microprocessor and driven by the computer program 33 implementing a method of authentication of a communications terminal.
  • the code instructions of the computer program 33 are for example loaded into a memory and then executed by the processor of the processing unit 32 .
  • the processing unit 32 inputs at least one piece of data representing a user identifier, from the gateway terminal.
  • the microprocessor of the processing unit 32 implements the steps of the authentication method according to the instructions of the computer program 33 to obtain the data needed to set up a virtual link between the terminal of the user and the authentication server in order to exchange, with the user's communications terminal, the data needed for his authentication.
  • the authentication server comprises, in addition to the buffer memory 31 , communications means such as network communications modules, data transmission means and if necessary, an encryption processor.
  • these means take the form of a particular processor implemented within the device, said processor being a secured processor.
  • this device implements an application or a particular module that is in charge of carrying out processing operations, this application or this module being for example provided by the manufacturer of the processor in question in order to enable the use of said processor.
  • the processor comprises unique identification means. These unique identification means ensure the authenticity of the processor and/or of the authentication server.
  • the authentication server also comprises means of searching, within a database, for data for connection to the user's terminal as well as means for obtaining encryption keys, for example asymmetrical encryption keys (public keys/private keys) used to generate verification data and counter-verification data during the authentication.
  • encryption keys for example asymmetrical encryption keys (public keys/private keys) used to generate verification data and counter-verification data during the authentication.
  • These means also take the form of communications interfaces enabling data exchange on the communications network, means of interrogation and of updating databases, etc.
  • a user's communications terminal comprises a memory 41 constituted by a buffer memory, a processing unit 42 , equipped for example with a microprocessor and driven by the computer program 43 implementing a method of authentication.
  • the code instructions of the computer program 43 are for example loaded into a memory and then executed by the processor of the processing unit 42 .
  • the processing unit 42 inputs at least one piece of data representing a pairing command for pairing with the gateway terminal (TCP# 1 ).
  • the microprocessor of the processing unit 42 implements the steps of the authentication method according to the instructions of the computer program 43 to receive a request for pairing from the gateway terminal (TCP# 1 ), make a search, within an internal database and/or a secured storage space, for a piece of identification data of the authentication server (ServA), compare this piece of identification data with a piece of identification data received from the server (for example within the pairing request), transmit a piece of authentication data (DataAuth) to the authentication server (ServA).
  • DataAuth piece of authentication data
  • the user's communications terminal comprises, in addition to the buffer memory 41 , communications means such as network communications modules, data transmission means and, if necessary, an encryption processor.
  • this means can take the form of a particular processor implemented within the device, this processor being a secured processor.
  • this user's communications terminal implements an application or a particular module that is in charge of carrying out exchanges, this application or this module being for example provided by the manufacturer of the processor in question (implemented within the terminal) in order to enable the use of said processor.
  • the processor comprises unique identification means. These unique identification means make sure of the authenticity of the processor and/or of the communications terminal.
  • a user's communications terminal additionally comprises means for storing a piece of reference data of the servers' identity and means for storing encryption keys. These means also take the form of communications interfaces for exchanging data on communications networks, interrogation means and database updating means, etc.
  • gateway communications terminal TCP# 1
  • TCP# 1 gateway communications terminal implemented to authenticate a user from a communications terminal (TCP# 1 ) according to the method described here above.
  • a user's communications terminal comprises a memory 51 constituted by a buffer memory, a processing unit 52 , equipped for example with a microprocessor and driven by the computer program 53 implementing a method of authentication.
  • the code instructions of the computer program 53 are for example loaded into a memory and then executed by the processor of the processing unit 52 .
  • the processing unit 52 inputs at least one piece of data representing an identity of a user (for example a login).
  • the microprocessor of the processing unit 52 implements the steps of the authentication method according to the instructions of the computer program 53 to transmit this identity to an authentication server; receive, from this authentication server, a parameter of connection to the user's communications terminal (TCP# 2 ); set up a connection between itself and the communications terminal of the user (TCP# 2 ) by means of the parameter received beforehand in transmitting a pairing request to the terminal and possibly an identity of the authentication server and receive, from the authentication server, an assertion of authentication when the authentication between the communications terminal (TCP# 2 ) and the authentication server has taken place accurately.
  • a user's communications terminal comprises, in addition to the buffer memory 51 , communications means such as network communications modules, data transmission means and if necessary an encryption processor.
  • these means can take the form of a particular processor implemented within the device, said processor being a secured processor.
  • this communications terminal of a user implements a particular module which is in charge of carrying out exchanges (especially exchanges needed to implement the virtual connection between the communications terminal TCP# 2 and the authentication server ServA), this module being for example provided by the manufacturer of the processor in question in order to enable the use of said processor.
  • the processor comprises unique identification means. These unique identification means ensure the authenticity of the processor and/or of the gateway communications terminal for purposes of preventing identity theft.
  • the user's communications terminal also comprises means for storing a piece of reference data of the identity of the server and means for storing encryption keys.
  • These means also take the form of a communications interfaces enabling the exchange of data on communications networks, means of interrogation and database updating means, etc.
US14/968,231 2014-12-12 2015-12-14 Method for authenticating a user, corresponding server, communications terminal and programs Active 2036-03-13 US10693854B2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1462382A FR3030083B1 (fr) 2014-12-12 2014-12-12 Procede d'authentification d'un utilisateur, serveur, terminal de communication et programmes correspondants
FR1462382 2014-12-12

Publications (2)

Publication Number Publication Date
US20160173473A1 US20160173473A1 (en) 2016-06-16
US10693854B2 true US10693854B2 (en) 2020-06-23

Family

ID=53008600

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/968,231 Active 2036-03-13 US10693854B2 (en) 2014-12-12 2015-12-14 Method for authenticating a user, corresponding server, communications terminal and programs

Country Status (7)

Country Link
US (1) US10693854B2 (fr)
EP (1) EP3032799B1 (fr)
BR (1) BR102015031254A2 (fr)
CA (1) CA2914426C (fr)
ES (1) ES2699925T3 (fr)
FR (1) FR3030083B1 (fr)
PL (1) PL3032799T3 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210243599A1 (en) * 2018-06-04 2021-08-05 Lg Electronics Inc. User authentication method through bluetooth device and device therefor
US20210389474A1 (en) * 2016-11-10 2021-12-16 Cable Television Laboratories, Inc. Systems and methods for interference detection in shared spectrum channels

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6965885B2 (ja) * 2016-08-19 2021-11-10 日本電気株式会社 情報処理装置、情報処理方法、及び、プログラム
US10757103B2 (en) * 2017-04-11 2020-08-25 Xage Security, Inc. Single authentication portal for diverse industrial network protocols across multiple OSI layers
US11688003B2 (en) * 2017-09-19 2023-06-27 The Toronto-Dominion Bank System and method for integrated application and provisioning
US11514424B2 (en) 2017-09-19 2022-11-29 The Toronto-Dominion Bank System and method for integrated application and provisioning
CN110303933B (zh) * 2018-11-09 2021-11-16 林德(中国)叉车有限公司 一种自动导引车的电池自动充电方法
US11227354B2 (en) 2019-05-20 2022-01-18 The Toronto-Dominion Bank Integration of workflow with digital ID
US11367059B2 (en) 2019-10-31 2022-06-21 The Toronto-Dominion Bank Integrated credit application and merchant transaction including concurrent visualization of transaction details
CN113691982A (zh) * 2021-08-03 2021-11-23 海尔(深圳)研发有限责任公司 用于蓝牙设备联网的方法及装置、服务器、移动终端、蓝牙网关设备
CN114513364B (zh) * 2022-02-25 2024-03-15 杭州涂鸦信息技术有限公司 一种服务授权方法及相关组件

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090287921A1 (en) * 2008-05-16 2009-11-19 Microsoft Corporation Mobile device assisted secure computer network communication
US20100058064A1 (en) * 2008-08-27 2010-03-04 Microsoft Corporation Login authentication using a trusted device
US20110265159A1 (en) * 2008-11-04 2011-10-27 Troy Jacob Ronda System and Methods for Online Authentication
US20140007211A1 (en) * 2012-06-27 2014-01-02 Nhn Corporation System, method and computer readable recording medium for linking television and smart phone using image authentication key
US20140096220A1 (en) 2012-09-28 2014-04-03 Juan Marcelo Da Cruz Pinto Device, method, and system for augmented reality security
US20150172920A1 (en) * 2013-12-16 2015-06-18 Mourad Ben Ayed System for proximity based encryption and decryption

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090287921A1 (en) * 2008-05-16 2009-11-19 Microsoft Corporation Mobile device assisted secure computer network communication
US20100058064A1 (en) * 2008-08-27 2010-03-04 Microsoft Corporation Login authentication using a trusted device
US20110265159A1 (en) * 2008-11-04 2011-10-27 Troy Jacob Ronda System and Methods for Online Authentication
US20140007211A1 (en) * 2012-06-27 2014-01-02 Nhn Corporation System, method and computer readable recording medium for linking television and smart phone using image authentication key
US20140096220A1 (en) 2012-09-28 2014-04-03 Juan Marcelo Da Cruz Pinto Device, method, and system for augmented reality security
US20150172920A1 (en) * 2013-12-16 2015-06-18 Mourad Ben Ayed System for proximity based encryption and decryption

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
English translation of the French Written Opinion for corresponding French Application No. FR1462382, filed Dec. 12, 2014.
French Search Report and Written Opinion dated Jul. 23, 2015 for corresponding French Application No. FR1462382, filed Dec. 12, 2014.
J´er´emie Albert, Tegawend´e F. Bissyand´e, Y´erom-David Bromberg, Serge Chaumette and Laurent R´eveill{grave over ( )}ere, UbiPAN: A Bluetooth Extended Personal Area Network, 2010 International Conference on Complex, Intelligent and Software Intensive Systems (Year: 2010). *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210389474A1 (en) * 2016-11-10 2021-12-16 Cable Television Laboratories, Inc. Systems and methods for interference detection in shared spectrum channels
US11686852B2 (en) * 2016-11-10 2023-06-27 Cable Television Laboratories, Inc. Systems and methods for interference detection in shared spectrum channels
US20210243599A1 (en) * 2018-06-04 2021-08-05 Lg Electronics Inc. User authentication method through bluetooth device and device therefor

Also Published As

Publication number Publication date
PL3032799T3 (pl) 2019-02-28
EP3032799A1 (fr) 2016-06-15
CA2914426C (fr) 2023-05-02
FR3030083A1 (fr) 2016-06-17
EP3032799B1 (fr) 2018-08-29
BR102015031254A2 (pt) 2016-08-09
FR3030083B1 (fr) 2017-07-14
CA2914426A1 (fr) 2016-06-12
ES2699925T3 (es) 2019-02-13
US20160173473A1 (en) 2016-06-16

Similar Documents

Publication Publication Date Title
US10693854B2 (en) Method for authenticating a user, corresponding server, communications terminal and programs
CN110337797B (zh) 用于执行双因素认证的方法
EP2974213B1 (fr) Konfiguration sans coupure d'un dispositif dans un réseau de communication
US20150281227A1 (en) System and method for two factor user authentication using a smartphone and nfc token and for the automatic generation as well as storing and inputting of logins for websites and web applications
US11282079B2 (en) Method for securing contactless transactions
JP5739008B2 (ja) 通信セッションを検証する方法、装置、およびシステム
US9124571B1 (en) Network authentication method for secure user identity verification
US20170372310A1 (en) Secure key based trust chain among user devices
US20160241536A1 (en) System and methods for user authentication across multiple domains
US20160098693A1 (en) Online purchase with mobile payment device and method
CN106161475B (zh) 用户鉴权的实现方法和装置
US20170331821A1 (en) Secure gateway system and method
CN105592180B (zh) 一种Portal认证的方法和装置
KR20220019834A (ko) 디바이스로의 보안 자격증명 전송을 인증하는 방법 및 시스템
KR20220167366A (ko) 온라인 서비스 서버와 클라이언트 간의 상호 인증 방법 및 시스템
EA015725B1 (ru) Способ осуществления защищенных транзакций
EP3289724B1 (fr) Première entité, seconde entité, noeud intermédiaire, procédés d'établissement de session sécurisée entre des première et seconde entités, et produits programmes d'ordinateur
JP6466150B2 (ja) データネットワーク上で1つのサービスのユーザアカウントにアクセスするための認証方法および認証デバイス
JP2016066298A (ja) 中継装置、通信システム、情報処理方法、及び、プログラム
US20220116390A1 (en) Secure two-way authentication using encoded mobile image
US20210150520A1 (en) Method for authenticating payment data, corresponding devices and programs
EP3732852B1 (fr) Procédé d'authentification à l'aide d'un terminal mobile utilisant une clé et un certificat stockés sur un support externe
CN113032761A (zh) 保护远程认证
KR101879842B1 (ko) Otp를 이용한 사용자 인증 방법 및 시스템
KR20170070379A (ko) 이동통신 단말기 usim 카드 기반 암호화 통신 방법 및 시스템

Legal Events

Date Code Title Description
AS Assignment

Owner name: INGENICO GROUP, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NACCACHE, DAVID;REEL/FRAME:038082/0160

Effective date: 20160118

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: BANKS AND ACQUIRERS INTERNATIONAL HOLDING, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INGENICO GROUP;REEL/FRAME:058173/0055

Effective date: 20200101

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4